Date: Tue, 19 Nov 1996 21:01:17 -0600 (CST)
From: "S(pork)"
To: Carey.Nairn@its.utas.edu.au
cc: FreeBSD Questions
Subject: Re: sendmail security problem

I believe that -stable and 2.1.6 are OK at this point, I grabbed
/usr/src/usr.sbin/sendmail out and it had the patch against this exploit
in it. There was a small problem that made the make break that I remedied
by deleting a line, I believe that has been fixed...

Here's what you'll see in your logs with the patched version if someone
gives it a go:

    Nov 17 23:35:40 test sendmail[9466]: uid 1000 tried to start daemon mode

Nice... Now I know who the sneaky users are...

Charles

On Wed, 20 Nov 1996, Carey Nairn wrote:

> I have just seen a CERT advisory regarding a security problem with
> sendmail as follows:
>
> AUSCERT has received information that sendmail versions 8.7.x to 8.8.2
> (inclusive) contain a serious security vulnerability.
>
> This vulnerability may allow local users to gain root privileges.
>
> Exploit details involving this vulnerability have been widely distributed.
>
> AUSCERT recommends that sites take the steps outlined in Section 3
> as soon as possible.
> - ---------------------------------------------------------------------------
>
> 1. Description
>
> A vulnerability exists in all versions of sendmail from 8.7.x to 8.8.2
> that allows local users to gain root privileges.
>
> A user can invoke sendmail in "daemon" mode by naming it to be "smtpd".
> Due to a coding error, this bypasses the usual check that only root
> can start the daemon. As of 8.7, sendmail will restart itself when
> it gets a SIGHUP signal. By manipulating the environment in which
> sendmail is run it is possible to force sendmail into executing an
> arbitrary program with root privileges.
>
> AUSCERT has been informed that sendmail versions prior to 8.8.x are
> no longer supported. Sites using older versions of sendmail will need
> to upgrade to the current version of sendmail.
>
> ....
>
> I guess this means that FreeBSD versions prior to 2.1.6 are vulnerable.
> My question is what version of sendmail is shipped with 2.1.6 (and 2.2).
>
> Cheers,
> Carey
>
> =========================================================================
> | Carey Nairn                     | email : Carey.Nairn@its.utas.edu.au |
> | Infrastructure Services         | phone : (03) 6226 7419              |
> | Information Technology Services | fax   : (03) 6226 7898              |
> | University of Tasmania.         | int'l : (+61 3)                     |
> =========================================================================
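
The log message quoted in the reply above can be turned into a per-uid report of refused daemon-mode starts. The following is an added example, not part of the original thread or of sendmail itself; the function name and every sample log line other than the first are constructed for illustration, and the classic syslog line layout shown in the post is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the message the patched sendmail logs, as quoted in the post.
PATTERN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: uid (?P<uid>\d+) tried to start daemon mode\s*$"
)

# First line is from the post; the rest are constructed sample input.
SAMPLE_LOG = """\
Nov 17 23:35:40 test sendmail[9466]: uid 1000 tried to start daemon mode
Nov 17 23:35:58 test sendmail[9471]: uid 1000 tried to start daemon mode
Nov 17 23:36:02 test sendmail[9473]: XAA09473: from=<user@example.org>, size=512
Nov 18 02:10:07 test sendmail[9702]: uid 1003 tried to start daemon mode
Nov 18 02:11:00 test login: ROOT LOGIN (root) ON ttyv0
"""

def daemon_mode_attempts(lines, year):
    """Group refused daemon-mode starts by uid (hypothetical helper).

    Classic syslog timestamps carry no year, so the caller supplies it.
    Returns {uid: {"count", "first", "last", "hosts"}}.
    """
    report = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "hosts": set()}
    )
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue  # unrelated syslog traffic or other sendmail messages
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = report[int(m["uid"])]
        entry["count"] += 1
        entry["hosts"].add(m["host"])
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
    return dict(report)

if __name__ == "__main__":
    for uid, e in sorted(daemon_mode_attempts(SAMPLE_LOG.splitlines(), 1996).items()):
        print(f"uid {uid}: {e['count']} attempt(s), "
              f"{e['first']} .. {e['last']}, hosts={sorted(e['hosts'])}")
```

Repeated attempts from one uid in a short window, as in the constructed sample, are the pattern worth following up with the account owner.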